1 Part 2 2 AUDIT GUIDELINES 3 Audit Guidelines -- 226 pages 1 Generic Guideline and 34 Process...
Posted 18-Dec-2015. Category: Documents.
1
Part 2
2
AUDIT GUIDELINES
3
Audit Guidelines -- 226 pages
1 Generic Guideline and 34 Process-Oriented Guidelines
A generic guideline identifies the tasks to be performed in assessing ANY control objective within a process. The generic guideline extracts all repetitive tasks into one guideline, to be performed for all control objectives.
The others are process-oriented task suggestions that provide management assurance that a control is in place and is working.
4
Audit Guidelines
Purpose of audit guidelines is to provide simple structure for auditing controls
Audit guidelines are generic and high-level in structure
Although intended as a guide for auditing high-level control objectives, CobiT can assist overall audit planning
Enables auditor to review processes against control objectives
5
CobiT supports generally accepted structure of the audit process:
Identification and documentation
Evaluation
Compliance testing, and
Substantive testing
6
The IT process is therefore audited by:
Obtaining an understanding of business requirements, related risks, and relevant control measures
Evaluating the appropriateness of stated controls
Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources
7
OBTAINING AN UNDERSTANDING
The audit steps to be performed to document the activities underlying the control objectives and to identify the stated control measures/procedures in place.
Interview appropriate management and staff to gain an understanding of:
* Business requirements and associated risks
* Organisation structure
* Roles and responsibilities
* Policies and procedures
* Laws, regulations and contractual obligations
* Control measures in place
* Management reporting (status, performance, action items)
Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk-through).
GENERIC AUDIT GUIDELINE
8
EVALUATING THE CONTROLS
The audit steps to be performed in assessing the effectiveness of the control measures in place, or the degree to which the control objective is achieved: essentially deciding what, whether and how to test.
Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures, and applying professional judgment:
• Documented processes exist
• Appropriate deliverables exist
• Responsibility and accountability are clear and effective
• Compensating controls exist, where necessary
Conclude on the degree to which the control objective is met.
GENERIC AUDIT GUIDELINE
9
ASSESSING COMPLIANCE
The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.
Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review.
Perform a limited review of the adequacy of the process deliverables.
Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
GENERIC AUDIT GUIDELINE
10
SUBSTANTIATING THE RISK
The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.
Document the control weaknesses and resulting threats and vulnerabilities.
Identify and document the actual and potential impact (e.g., through root-cause analysis).
Provide comparative information (e.g., through benchmarks).
GENERIC AUDIT GUIDELINE
11
Audit Guidelines are GUIDELINES
They are a starting point for identifying control tasks and activities associated with particular control objectives.
To plan and conduct the audit, an auditor must add knowledge about the business, risk analysis, and controls; perform adequate audit procedures; and draw conclusions from the results of the audit procedures.
12
Using CobiT to Develop an Audit Program
Start with Control Objectives to refresh the purpose of the control objective and the recommended IT control practices
Use the Audit Guidelines’ generic audit guideline as a starting point
Use the selected process-oriented audit guidelines to refine the audit work program
Select appropriate portions of the Audit Guidelines in sync with selected detailed control objectives (selected control tasks and activities)
13
Using CobiT to Review an Audit Program
Use the Audit Guidelines to benchmark the existing audit program against
Use the Control Objectives’ high-level control objectives to review audit objectives and detailed control objectives to review criteria identification
Use the generic and process-oriented audit guidelines to review audit process and procedures
15
Adopting CobiT
Start by identifying the “need” for use, and how it might be used
Focus on the benefits to be derived from using CobiT
Assess the acceptance and implementation capabilities
Assign priority of multiple uses
Identify one or more champions
16
Adopting CobiT
For those responsible for systems and those who audit systems, the value lies in having an organized IT control model that links management control practices to control objectives, and in turn to business objectives.
From a management perspective:
– management and IT policy makers such as CEO, CIO, VP of IT
– IT steering committee
– business process owners and users
From an Audit perspective:
– evaluators and internal/external auditors
17
Factors to Consider
Dimension and depth of the IT environment
Organizational structure of IT services
Level of internal and outsourced IT functions
Relationships of IT, IS Audit, business process owners, management
Management philosophy regarding control and audit
Extent of business process reengineering
Level of consensus needed
18
Benefits of CobiT
Supports IT governance objectives.
Helps ensure that IT processes are defined and assigned.
Helps to ensure that there is focus on control objectives.
Leads to more cost-effective IT services.
19
Benefits of CobiT
Helps to provide reasonable assurance that:
– IT process objectives are understood
– IT risks have been identified
– Appropriate controls have been implemented
– Appropriate monitoring and evaluation processes are in effect
– IT process objectives can be achieved.
20
Benefits of CobiT
Helps to ensure that the organization complies with applicable rules, regulations and contractual obligations.
Opportunity for complementary adoption of COSO and CobiT (or other control models).
Authoritative nature of CobiT, which encompasses well-recognized and established standards for IT control.
21
Benefits of CobiT
Strengthens assessment, understanding and exercise of appropriate internal controls.
Provides a good framework for risk assessment and risk management.
Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.
22
Benefits of CobiT
Provides a framework for ensuring that outsourced IT functions are addressed in third-party contracts.
Helps to strengthen the relationship between IS Services and the user community through improved SLAs.
Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.
24
Using COBIT
Organizational Tool
Audit Planning and Support Tool
IT Control Self Assessment Tool
25
CobiT as an Organizational Tool
Provides framework and benchmarks for IT planning and management
Identification of primary IT processes (by broad management-oriented Domains)
Assists in establishing responsibilities and points of accountability
Assists in clarifying IT’s and Audit’s role
26
CobiT As An Audit Planning Tool
“To look at a functional area.”
– “Which functional area?”
– “What systems are involved?”
– “What IT processes are involved?”
– “What are the objectives and risks?”
– “What are the control objectives?”
27
Using CobiT in Audit Planning
IT audit shop planning --- audit engagement selection
Determining type of audit services
Engagement planning
Framing audit scope and audit objectives to CobiT
Development of audit approach
28
Audit Planning
Adequate planning is a necessary first step in performing effective IT Audits.
Need to understand the general business environment as well as the associated business and control risks.
Assess operational and control risks and identify control objectives during audit planning.
29
Use of CobiT during the Audit Planning
Assessing the control environment and identifying high risk processes
Conducting a high-level policy and procedures review
Conducting a detailed review of policies and procedures against the entire control objectives document
Using CobiT-related matrices
30
CobiT-related Matrices
31
Using CobiT Matrices to Focus on:
IT Functions
– Their importance?
– Level of performance?
– Control documentation?
Responsible Parties of IT
– Performed by?
– Contracted services?
– Primary responsible party?
Risk Assessment
– Importance, level of risk, control documentation?
32
CobiT-Related Matrices
Submit matrix of processes to IT management to attain assertions regarding:
– Importance, performance and risk of each process
– self assessment of how well control is being carried out for each process
Have the review or audit team also independently rate preliminary understanding of importance, performance and risk of each process
Use matrix of IT processes to be performed and identify who performs the process and who has final responsibility; can be used to identify processes not performed by “traditional” IT organization
33
ENTITY SHORT FORM (management self-assessment matrix; the rotated column headings are reconstructed below)

Columns:
Importance: Very Important | Somewhat Important | Not Important | Not sure | Not Applicable
Performance: Excellent | Very good | Satisfactory | Poor | Not Sure | Formally Rated | Not Rated | Not Applicable

IT Process (one row per process):
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organisation and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality
AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes
DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations
M1 Monitor the process
M2 Assess Internal Control Adequacy
M3 Obtain independent assurance
M4 Provide for Independent Audit
34
ENTITY LONG FORM

Columns:
Importance: Very Important | Somewhat Important | Not Important | Not sure | Not Applicable
Performance: Excellent | Very good | Satisfactory | Poor | Not Sure | Formally Rated | Not Rated | Not Applicable
Controls: Documented | Not Documented | Not Sure
Internal WP Ref.

IT Process rows: the 34 COBIT processes PO1 to M4, as listed in the Entity Short Form.
35
RISK ASSESSMENT FORM

Columns:
Importance: Very Important | Somewhat Important | Not Important | Not sure
Risk: High | Medium | Low | Immaterial | Not Sure
Controls: Documented | Not Documented | Not Sure
Internal WP Ref.

IT Process rows: the 34 COBIT processes PO1 to M4, as listed in the Entity Short Form.
36
Pre-Audit: Performance and Risk

Level of Performance | Function & Operation | Level of Risk
high | A/P | low
high | payroll | low
medium | IT processing | high
etc.
37
Pre-Audit: Risk/Importance and Control Documentation

Risk/Importance | Function & Operation | Control Documentation
Low/medium | A/P | yes
Low/high | payroll | none
High/medium | IT processing | partial
etc.
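The matrices above (management's self-assessment of importance, performance, risk and control documentation for each process, plus the audit team's independent rating of the same) are only useful once they are turned into a ranked list of where to spend audit effort. The following is an added example, not code from the original slides or from ISACA: a small Python script that scores each process from both sets of ratings, takes the more pessimistic view, and pushes a process up the list whenever management and the audit team disagree or management answered “not sure”. The ordinal scales, the scoring rule and the sample ratings are constructed assumptions chosen to illustrate the approach; adjust them to your own audit shop.

```python
"""Rank COBIT processes for audit attention from the pre-audit matrices.

Added example, not part of the original slides. The ordinal scales, the
scoring rule and the sample ratings below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordinal values for the matrix answers. "Not sure" / "not rated" score as a
# middle value on purpose: an unknown must never read as "fine".
IMPORTANCE = {"very important": 3, "somewhat important": 2,
              "not important": 1, "not sure": 2}
RISK = {"high": 3, "medium": 2, "low": 1, "immaterial": 0, "not sure": 2}
PERFORMANCE = {"excellent": 0, "very good": 1, "satisfactory": 2, "poor": 3,
               "not sure": 2, "not rated": 2, "not applicable": 0}
CONTROLS = {"documented": 0, "partial": 1, "not documented": 2, "not sure": 2}
SCALES = {"importance": IMPORTANCE, "risk": RISK,
          "performance": PERFORMANCE, "controls": CONTROLS}


@dataclass(frozen=True)
class Rating:
    """One row of the Entity / Risk Assessment form for a single IT process."""
    process: str
    importance: str
    risk: str
    performance: str
    controls: str

    def exposure(self) -> int:
        """Higher means more reason to audit: important and risky, performing
        poorly, and without documented controls."""
        return (IMPORTANCE[self.importance] * RISK[self.risk]
                + PERFORMANCE[self.performance]
                + CONTROLS[self.controls])


def discrepancies(mgmt: Rating, audit: Rating) -> list[str]:
    """Points where management's assertion and the audit team's independent
    rating disagree, plus answers that are unknowns or obvious gaps."""
    out = []
    for name in SCALES:
        m, a = getattr(mgmt, name), getattr(audit, name)
        if m != a:
            out.append(f"{name}: management says {m!r}, audit team says {a!r}")
    if any(getattr(mgmt, name) == "not sure" for name in SCALES):
        out.append("management answered 'not sure' on at least one dimension")
    if IMPORTANCE[mgmt.importance] == 3 and CONTROLS[mgmt.controls] > 0:
        out.append("very important process without documented controls")
    return out


def prioritise(mgmt: dict[str, Rating],
               audit: dict[str, Rating]) -> list[tuple[str, int, list[str]]]:
    """Return (process, score, notes) with the most audit-worthy process first.
    The score is the more pessimistic of the two exposures plus 2 for every
    discrepancy, so disagreement itself pulls a process up the list."""
    ranked = []
    for name, m in mgmt.items():
        a = audit.get(name, m)   # not independently rated: rely on management's view
        notes = discrepancies(m, a)
        score = max(m.exposure(), a.exposure()) + 2 * len(notes)
        ranked.append((name, score, notes))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


# Constructed sample: management self-assessment vs. the audit team's own rating.
MGMT = {r.process: r for r in [
    Rating("DS5 Ensure system security", "very important", "high", "satisfactory", "documented"),
    Rating("PO9 Assess risk", "very important", "medium", "not rated", "not documented"),
    Rating("DS6 Identify & allocate costs", "somewhat important", "low", "very good", "documented"),
    Rating("DS11 Manage data", "very important", "not sure", "not sure", "not sure"),
]}
AUDIT = {r.process: r for r in [
    Rating("DS5 Ensure system security", "very important", "high", "poor", "partial"),
    Rating("PO9 Assess risk", "very important", "medium", "not rated", "not documented"),
    Rating("DS11 Manage data", "very important", "high", "poor", "not documented"),
]}

if __name__ == "__main__":
    for process, score, notes in prioritise(MGMT, AUDIT):
        print(f"{score:3d}  {process}")
        for note in notes:
            print(f"       - {note}")
```

Run as-is, the script ranks DS11 first (management could not say whether it is risky, performing, or controlled, and the audit team rates it high risk with no documented controls), then DS5 (management and auditors disagree on performance and on how complete the controls are), then PO9, with the well-documented, low-risk DS6 last. The point of taking the maximum of the two exposures rather than the average is that a process management rates well but the audit team rates poorly is exactly the one the compliance-testing phase should look at.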
38
RESPONSIBLE PARTY FORM

Columns: Performed by (1) | IT Process | Primary Responsible Party
IT Process rows: the 34 COBIT processes PO1 to M4, as listed in the Entity Short Form.
(1) Identify organisational units (IT department, within organisation, outsourced or not sure) which perform activities incorporated within the IT process
39
Pre-Audit: Functions & Responsibilities

Function performed by | Function & Operation | Points of Accountability: Responsible Party
internal | A/P | Accounting
outsourced | payroll | Accounting
IT Dept | IT processing | VP of IT
etc.
40
CONTRACT SERVICE/SERVICE LEVEL AGREEMENT (SLA) FORM

Columns:
Performed by: IT Department | Within Organisation | Outsourced | Not sure
Formal Contract/SLA: Documented | Not Documented | Not Sure
Controls in place?: Yes | No | Not Applicable | Not Sure
Internal WP Ref.

IT Process rows: the 34 COBIT processes PO1 to M4, as listed in the Entity Short Form.
41
PRIOR AUDIT WORK FORM

Columns:
In Scope: Yes | No
IT Process
Prior Opinion: Unqualified | Qualified | Adverse | Disclaimer
Prior Audit Findings: Material Weaknesses | Findings
Disposition of Findings: Resolved | Unresolved | N/A | Not Determined

IT Process rows: the 34 COBIT processes PO1 to M4, as listed in the Entity Short Form.
Insert the number of material weaknesses and/or findings if there is more than one per process category and then reflect the appropriate number under each column.
Audit coverage matrix: rows are COBIT’s 34 processes (PO 1, PO 2, ... M 4); columns are audits (or audit entities) A, B, C, D, E, F, ...
Cell legend:
S = Pre-audit survey
A = Audit
R = Report (positive conclusion, or finding)
42
43
Use of CobiT in Audit Planning:
Supports objectives of AU.319 “Consideration of Internal Control in a Financial Statement Audit”, and
Risk-Based Audit planning
44
Key Features of Risk-Based Approach
Focuses on the business from a management perspective
Emphasis on knowledge of the business and the technology
Focus on assessing the effectiveness of a “combination” of controls
Linkage between risk assessment and testing focusing on control objectives
45
Risk-Based Audit Planning
What is most critical to the business?
What are the CSFs?
What are the risks and threats?
How robust and appropriate does the internal control structure appear?
What are management’s concerns?
46
Risks to the Business?
Unaware of the risks
Poor understanding of CSFs
Absence of KPIs
No “scorecard” or basis of measurement
Absence of monitoring and evaluation
Weak IT control environment
Loss of data or system integrity
47
Control Risk Assessment
Control Risk assessment at maximum
– addresses relevant audit objectives using substantive tests
– perform all applicable substantive tests
Control risk assessment at below maximum
– identify control procedures that allow control risk to be below maximum
– design & perform tests of controls
– identify reduced substantive tests
48
Control Risk Assessment
Control Risk assessment at low
– perform tests of controls for application and IT controls
– perform analytical procedures (reduced substantive testing)
49
Control Assessment Steps
What is the control objective?
Identify the type of control (application or general; primary or secondary; and preventive, detective, or corrective)
What business objective is impacted?
Appropriateness of the stated control?
Number of components used to execute the control and number of subsystems or control objectives impacted?
Evidence that the control is in effect, or impact that it is not.
50
Setting Audit Objectives
Depends on the type of audit
Best phrased when focused on whether selected control objectives are met
Build the linkage between the control objective and the controls to the audit objectives and audit procedures (review and examination steps) to obtain sufficient audit evidence to draw conclusions
51
Use of CobiT in
The Pre-Audit Process
52
Overview of Pre-Audit Process
Auditee selection (may be CobiT driven)
Off-site preliminary information gathering
Entrance Conference and on-site preaudit information gathering (reference to CobiT)
Develop proposed scope and audit objectives
Internal scope meeting (review & approval)
Finalize audit work program (CobiT-framed)
Engagement conference (reference CobiT as criteria) and audit (CobiT as examination criteria)
53
Pre-Audit Planning
Who are they? (type of organization, industry)
What do they do? (mission, business objectives)
How do they plan to do it? (strategy/plan)
How do they do it? (functions, processes)
With what resources? (IT, operational resources, management & staff, raw materials, etc.)
By what rules? (policies, standards, legal and regulatory requirements)
Under what risks? (risk analysis)
54
Pre-Audit Planning
Who does it? (internal & external players, their roles and responsibilities)
Who knows what is done? (reporting lines, designated points of accountability)
How do they know it is done right? (measurement registers, assurance mechanisms, evaluations, score cards, etc.)
Where are they? (global or national, centralized or distributed organizational structure, etc.)
55
On-Site Pre-Audit
Entrance conference and subsequent interviews (CobiT discussion)
Tour of facility and observations
Documentation review (high-level CobiT)
Obtain management assertions (CobiT matrices)
Identification of data/information sources and their information criteria (CobiT)
Risk and exposure analysis
Review of internal controls (includes CobiT)
Determination of planned materiality
56
On-Site Pre-Audit Procedures
Identification of accounting and operational control objectives and related control practices (CobiT)
Perform selected tests of stated procedures or controls (CobiT)
Determination of auditability
Summary conclusions and development of proposed scope and audit objectives
57
Internal Scope Meeting
AIC and manager present understanding of the entity and its audit requirements
Provides opportunity to discuss CobiT-related matters
Acquaints the Audit Shop’s management with proposed audit and CobiT-related matters
Serves as review and approval point for scope and audit objectives
58
Internal Scope Meeting
Addresses fundamental elements of preaudit planning; preliminary audit work; development and documentation of audit scope, objectives and methodology; identification of control objectives and criteria; and staffing and logistics issues
Cobit helps to ensure appropriate audit direction and allocation of audit resources to the engagement
Serves as a “practice run” for presenting audit scope and audit objectives, methodology and criteria (including CobiT) to the auditee
59
For the Audit Engagement
May identify CobiT as criteria at entrance conference
Use CobiT to develop and benchmark audit work programs
Introduce generally accepted control practices to auditee via CobiT
60
Where CobiT Helps on Pre-Audit Considerations
Framing IT processes by domains for the existing IT environment and automated systems
Identification of major processes and activities which support the entity’s mission and business objectives Review of acquisition and development plans or projects for IT
Performing risk analysis and internal control review
61
Using CobiT in other
Audit Areas
62
Using CobiT on System Development Audits
63
Three Types of System Development IT Audits
Type 1: examination of development methodology, policy and procedures
Type 2: examination of development and implementation of a particular information system
Type 3: participation as “control advisor” throughout the development and implementation process
64
System Development Audit Planning
Conduct preliminary survey and pre-audit work sufficient to select the “type” of system development audit
Use CobiT to assist in framing the audit with respect to processes and detailed control objectives applicable to the “type” of development audit
Use CobiT processes and detailed control objectives to identify criteria
65
System Development Audit Planning
Start with CobiT summary table to select processes directly impacting application(s)
Suggest focus on Planning & Organization, Acquisition & Implementation, and Monitoring domains for development audits
Note: not all processes will be selected nor will detailed control objectives within each process
Select applicable IT control practices (tasks and activities) for each process
66
SDLC Audits Type 1
The IT auditor reviews the organization’s system development and implementation procedures. Here, the auditor would determine whether appropriate SDLC procedures were in place to ensure that automated systems developed meet user needs, function as intended, meet any required legal or regulatory requirements, are sufficiently controlled to provide reasonable assurance for data and system integrity, and that the system operates effectively and efficiently.
67
Type 1 Development Audit
Process audit
Determine whether appropriate SDLC policies & procedures are in place
Emphasis on Planning & Organization and Acquisition & Implementation domains
Detailed control objectives focused on good practices for development
68
Type 1 Development Audit Assumptions
Linkage to Planning & Organization processes based on the premise that PO’s set the stage for IT environment and development
Audits or reviews of SDLC methodology should be in context of organization’s IT strategy, policies, and standards
69
SDLC Audits Type 2
The IT auditor reviews the development and implementation of a particular system, determining whether the organization’s (and generally-accepted) development procedures were followed, whether the system meets the needs of the organization and its users, is maintainable, and operates efficiently.
70
Type 2 Development Audit
Compliance audit
Operations/Performance audit
Post-implementation examination
Focus on compliance with SDLC methods and assessment of the system’s “operational status”
May include 3rd-party review
71
SDLC Audits Type 3
The IT auditor participates in the development and implementation of the automated system where the auditor serves as a non-voting member of the development team. Under this arrangement, the auditor serves as an advisor, a “control consultant”.
72
Type 3 Development Audit
Management advisory services (MAS)
Use CobiT to facilitate discussions on design, development, testing, etc.
May involve audit work of each phase
Greater emphasis placed on understanding of Audit’s role as “advisor”
Good opportunities to design control self assessment processes
73
Processes Selected for Type 1, 2 & 3 Development Audits
PO1: Define strategic IT plan
PO2: Define information architecture
PO4: Define organization & relationships
PO5: Manage the investment
PO6: Communicate management aims
PO8: External requirements compliance
PO9: Assess Risk
PO10: Manage projects
PO11: Manage quality
74
Processes selected for Type 1, 2 & 3 Development Audits
AI1: Identify automated solutions
AI2: Acquire/maintain application software
AI3: Acquire/maintain technology architecture
AI4: Develop & maintain procedures
AI5: Install & accredit systems
AI6: Manage changes
M1: Monitor the process
75
Detailed Control Objectives by Process for Type 1 SDM Audit
PO1
PO2
PO4
1.1 Assessment of technology issues in L-R & S-R plans
1.5 Feasibility studies performed
2.1 Current architecture model
2.2 Current corporate data dictionary
2.3 Data classification scheme
4.1 Oversight role of steering committee
76
Detailed Control Objectives by Process for Type 2 SDM Audit
PO1
PO2
PO4
1.2 Development initiatives should be in L-R & S-R plans
1.5 Feasibility studies performed
2.2 Current corporate data dictionary
2.3 Data classification scheme
2.4 Maintain security levels for information classes
4.1 Oversight role of steering committee
etc.
77
Detailed Control Objectives by Process for Type 3 SDM Audit
PO1
PO2
PO3
1.3 IT-related issues to be considered in L-R planning
1.5 Plans to reflect IS resources
2.2 Corporate data dictionary incorporates data syntax rules
2.3 Placement of data on information classes
2.4 Implement security levels
3.4 Software acquisition plans
3.5 Standardization - infrastructure
78
System Development Audit Work Program
Use Control Objectives and Audit Guidelines together to start audit work program.
While the primary focus may be on AI1-AI6, include selected control objectives from Planning & Organization.
Include appropriate SDLC requirements of the organization, if available.
79
Summary Thoughts on Using CobiT on Development Audits
Participate in quality assurance for CobiT targeting software development
Use CobiT for risk assessment and the subsequent allocation of audit resources to development projects
Use CobiT to develop Type 1, 2, & 3 development audit work programs
Use CobiT to evaluate the adequacy of the audit approach on Type 3 SDM audits
80
Developing a Change Control Audit Program
Select relevant objectives from the 34 high-level control objectives (e.g., AI1, AI2, AI4, AI6, DS9)
Select relevant detailed control objectives (e.g., AI 6.2)
These become audit objectives in the audit program
Compare the audit program to the COBIT Audit Guidelines
81
Using Cobit on Management Audits
Framing audits via Planning & Organization Domain
Using CobiT to evaluate assignment of responsibility of IT-related functions.
Using CobiT to evaluate points of accountability.
82
Using CobiT for Review of Responsibilities & Evaluation of Points of Accountability
83
Conducting Responsibility and Accountability Reviews
Determine the extent to which discrete tasks and activities referenced by CobiT are in place.
Determine the extent to which policies, procedures, and mechanisms referenced by CobiT have been established.
84
Factors to consider when identifying relevant tasks and activities
Not all tasks & responsibilities have an assigned responsible party
When planning your assessments (extent, scheduling, area to be reviewed, MAS), recommend comprehensive review by:
– domain
– key process(es)
85
Factors to consider when identifying relevant tasks and activities
If reviewing the control environment, you may elect to target tasks and responsibilities with CobiT-designated responsible parties.
Consider the difference between single tasks and on-going activities with respect to the purpose of your review or audit work.
86
Task/Activity Monitoring & Evaluation

Task or Activity | Responsibility to: | Monitored by: | Evaluated by:
Control task | Establish a function or procedure | Initially & upon changes | Periodic, at least annual
Control activity | On-going function or activity | On-going, with reporting | Periodic to on-going
87
“Lock in” Responsibilities
Complete “responsible party” form
Prepare list of responsible parties
Based on entity and organizational structure, and CobiT responsibility designations, agree or modify responsibility designations for the selected tasks and activities
Establish “Locked in” responsibility list
“Locked in” Responsibility List
Serves as established list of desired responsibility assignments.
Use as criteria for reviewing responsibility assignments for entity under audit.
Review and Evaluate
Clarity and appropriateness of responsibility definitions
Assignment of responsibilities
Points of accountability
Reporting of actions taken and activities
Mechanisms to monitor and evaluate
Adequacy of exercise of responsibilities
Determine extent to which Audit Team Needs to Perform:
A review of assigned responsibilities for discrete tasks during pre-audit.
A review of assigned responsibilities for activities during audit.
Examination Steps
Determine whether IT-related responsibilities have been adequately defined and assigned, and that adequate points of accountability are in place.
Determine whether adequate controls and mechanisms are in place to monitor, evaluate, and hold accountable internal and outsourced parties for assigned responsibilities and desired deliverables
Evidence gathered in review of assigned responsibilities and points of accountability
Can assist assessments of internal structures for financial and operations audits
Can serve to identify the potential cause of audit results or findings
Evidence gathered in review of assigned responsibilities and points of accountability
Can assist management in reviewing and determining the adequacy of structures of accountability when organizations incur organizational or significant technical change
Can provide insight into recommendations regarding task and activity assignment and monitoring
Using Cobit to Address Third-Party Providers of IT-Related Services
Determine whether desired processes are in place and establish accountability
Agree on levels of control
Use CobiT to help design service contracts by identifying deliverables and responsibilities
Use CobiT for ongoing monitoring and evaluation of providers and partners
As An IT Self Assessment Tool
“How am I doing against recommended COBIT IT benchmarks?”
Use COBIT to facilitate operational and control improvements.
Identify controls that should be in place.
Reallocate resources to more important projects.
Using Cobit on Control Self Assessment
Use CobiT to assist the development of Control Self Assessment programs by establishing benchmarks, gathering appropriate information on control objectives and control practices, and developing action plans.
Benchmarking - Self-Assessment
0 Very poor: Complete lack of good practice
1 Poor: Recognized the issues
2 Fair: Some effort made to address issues
3 Good: Moderately good level of practice
4 Very good: Advanced level of practice
5 Excellent: Best possible, highly integrated
Source: Erik Guldentops, DC presentation, July 1997.
0 Very poor. Complete lack of good practices. Organization has not recognized that there is an issue to be addressed.
1 Poor. There is evidence that the organization has recognized that the issues exist and need to be addressed. There may also be some rudimentary attempts to solve the problem, although these are relatively ineffective without greater levels of good practice to support them.
2 Fair. There is some effort within the organization to provide a level of practice which is acceptable. This includes partial definitions of responsibility, organizational models and processes, although these may not have been followed through to deliver effective and acceptable levels of practice.
3 Good. There is a moderately good level of practice which should not draw undue criticism. The processes are reasonably well defined at levels of detail which make them effective. Responsibilities and organizational models are at a similar level of development. There is a recognition of the need for integration, but this has not evolved very far.
4 Very Good. There is generally a high level of good practices, with advanced tools being used to gain productivity, cost reduction and effectiveness. There is also considerable integration of related practices to give consistent and effective control within this area.
5 Excellent. The very best possible levels of good practice, given the available knowledge and tools. There is also a very high level of integration across all aspects related to this area.
Management Guidelines
Includes:
– Critical Success Factors
– Key Performance Indicators
– Key Goal Indicators
– Maturity models
Using the Management Guidelines
IT Management
Is IT well managed?
– Are we doing the right things?
– Are we doing them the best way?
– Are they being done well?
– Are we achieving desired benefits?
Is IT properly controlled?
Do we exercise due diligence?
Is management driving the information technology?
CobiT : An IT control framework
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains
Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT
Information criteria:
– Effectiveness
– Efficiency
– Availability
– Integrity
– Confidentiality
– Reliability
– Compliance
Domains:
– Planning
– Acquiring & Implementing
– Delivery & Support
– Monitoring
Why governance?
“Due diligence”
IT is strategic to the business
IT is critical to the business
Expectations and reality don’t match
IT involves huge investments and large risks
IT is strategic to most businesses
If so, wouldn’t you want to know whether your information technology organization is:
Likely to achieve its objectives?
Resilient enough to learn and adapt?
Judiciously managing the risks it faces?
Appropriately recognizing opportunities and acting upon them?
Management Guidelines
• Generic and action oriented
• For the purpose of
• IT Control profiling - what’s important?
• Awareness - where’s the risk?
• Benchmarking - what do others do?
• Supporting decision making and follow up
• Key performance indicators of IT processes
• Critical success factors of controls
• Control implementation choices
Management Guidelines
Critical Success Factors
• the most important things to do to increase the probability of success of the process
• observable - usually measurable - characteristics of the organisation and process
• are either strategic, technological, organizational or procedural in nature
• focus on obtaining, maintaining and leveraging capability and skills
• expressed in terms of the IT process, not necessarily the business
Management Guidelines
Key Goal Indicators
• describe the outcome of the process and are therefore a ‘lag’ indicator, i.e., measurable after the fact
• are an indicator of the success of the process but may also be expressed in terms of the business contribution if that contribution is specific to the IT process
• represent the process goal, i.e., a measure of “what”, a target to achieve
• may also describe a measure of the impact of not reaching the process goal
• KGIs are IT oriented but are also business driven
• are expressed in precise measurable terms wherever possible
Management Guidelines
Key Performance Indicators
• are a measure of “how well” the process is performing
• predict the probability of success or failure in the future, i.e. KPIs are ‘LEAD’ indicators
• are process oriented but IT driven
• focus on the process and learning dimensions of the balanced scorecard
• are expressed in precise measurable terms
• should help in improving the IT process
Maturity Models
• Refer to business requirements and control capabilities at different levels
• Are scales that lend themselves to pragmatic comparison
• Are scales where the difference can be made measurable in an easy manner
• Are recognizable as a “profile” of the enterprise in relation to IT governance and control
• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
Start from a Maturity Model for Self-Assessment
Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
Legend for symbols used:
– Enterprise current status
– International standard guidelines
– Industry best practice
– Enterprise strategy
Legend for rankings used:
– 0 - Management processes are not applied at all
– 1 - Processes are ad hoc and disorganised
– 2 - Processes follow a regular pattern
– 3 - Processes are documented and communicated
– 4 - Processes are monitored and measured
– 5 - Best practices are followed and automated
Measures?
Scales?
Indicators?
Generic Maturity Model - Dimensions
Understanding and awareness Training and communications Process and practices Techniques and automation Compliance Expertise
Generic Maturity Model - Dimensions
Dimensions: Understanding & Awareness; Training & Communication; Process & Practices; Techniques & Automation; Compliance; Expertise

Level 1
– Understanding & awareness: recognition
– Training & communication: sporadic communication on the issues
– Process & practices: ad hoc approaches to process and practices

Level 2
– Understanding & awareness: awareness
– Training & communication: communication on the overall issue and need
– Process & practices: similar/common processes emerge; largely intuitive
– Techniques & automation: common tools are emerging
– Compliance: inconsistent monitoring in isolated areas

Level 3
– Understanding & awareness: understand need to act
– Training & communication: informal training supports individual initiative
– Process & practices: existing practices defined, standardised & documented; sharing of the better practices
– Techniques & automation: currently available techniques are used; minimum practices are enforced; tool-set becomes standardised
– Compliance: inconsistent monitoring globally; measurement processes emerge; IT Balanced Scorecard ideas are being adopted; occasional intuitive application of root cause analysis
– Expertise: involvement of IT specialists

Level 4
– Understanding & awareness: understand full requirements
– Training & communication: formal training supports a managed program
– Process & practices: process ownership and responsibilities assigned; process is sound & complete; internal best practices applied
– Techniques & automation: mature techniques applied; standard tools enforced; limited, tactical use of technology
– Compliance: IT Balanced Scorecards implemented in some areas with exceptions noted by management; root cause analysis being standardised
– Expertise: involvement of all internal domain experts

Level 5
– Understanding & awareness: advanced forward-looking understanding
– Training & communication: training and communications supports external best practices and use of leading edge concepts/techniques
– Process & practices: best external practices applied
– Techniques & automation: sophisticated techniques are deployed; extensive, optimised use of technology
– Compliance: global application of IT Balanced Scorecard and exceptions are globally & consistently noted by management; root cause analysis consistently applied
– Expertise: use of external experts and industry leaders for guidance
Generic Maturity Model
0 Non-Existent. Complete lack of any recognizable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognized that the issues exist and need to be addressed. There are however no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Procedures have been standardized and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimized. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
In summary
Maturity Models
• Refer to business requirements and the enabling aspects at the different levels
• Are scales that lend themselves to pragmatic comparison
• Are scales where the difference can be made measurable in an easy manner
• Are recognisable as a “profile” of the enterprise in relation to IT governance and control
• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
• Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level
IT Governance Guideline
Governance over IT and its processes with the goal of adding value to the business, while balancing risk versus return:
• ensures delivery of information to the business that addresses the required information criteria and is measured by KGIs
• is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
• considers CSFs that leverage all IT resources and is measured by KPIs
IT governance summarized
Objectives
• understand the issues and the strategic importance of IT
• ensure that the enterprise can sustain its operations and ascertain it can implement the strategies required to extend its activities into the future
Goal
• ensuring that expectations for IT are met and IT risks are mitigated
Position
• within broad governance arrangements that cover relationships among the entity's management and its governing body, its owners and its other stakeholders, and providing the structure through which:
– the entity's overall objectives are set
– the method of attaining those objectives is outlined
– the manner in which performance will be monitored is described
Audit Organization
Use CobiT to identify and assess risk of IT processes
Use CobiT-related matrices in standard audit work programs
Frame IT audits via CobiT
Development of MAS focused on CobiT
Cobitizing Audit -- Phases
Self assessment and modification
Internal audit guidelines
– Text of policy & procedure manual
– Generic work programs and matrices
Overall audit planning
Engagement planning
Discussions with auditees for self assessment
Modify QA to include CobiT
Strengthen focus on business processes, system integrity, and IT environment
CobiT Recognizes
IT is an integral part of the organization
IT governance is an integral part of corporate governance
Focus on control objectives can strengthen appropriateness and use of internal controls
Measurement is crucial to internal control
Monitoring and evaluation are integral to a system of internal control
Learned So Far
Need Internal Control refresher course covering control models (such as COSO), CobiT, internal control acts, SAS 78, techniques in evaluating controls
There are good opportunities to leverage the understanding of internal controls and CobiT among management and staff, auditors, out-sourced services, academic community, and vendors
Learned So Far
Audit Teams and auditees seem to have better understanding of control objectives with CobiT
Increased consistency of discussions regarding IT domains, control objectives and controls
Increased emphasis on information criteria
Learned So Far
Pilot use of CobiT
Network and share “ideas” on CobiT
CobiT has assisted identification of IT-related processes, who performs them, and who is responsible
CobiT provides Value-Added opportunities and time savings
CobiT reinforces the final objective of effective and efficient operations
A Tip regarding CobiT
CobiT is generic - adapt it to your organization in cooperation with the business-process owners!
– Determine focus (quality, security, fiduciary)
– Harmonize existing policies and procedures with CobiT
– Determine control responsibilities
– Identify key performance indicators and critical success factors
Another Tip or Two
Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework
For auditors and reviewers, provide sufficient time for using CobiT in pre-audit and engagement planning.
Promote discussions on CobiT
Identify CobiT as a control framework and basis for benchmark criteria and evaluation
The Last of the Tips
Use CobiT initially as a control model and tool to assist controls evaluations, framing audits, identifying criteria, and performing high-level benchmarking.
Share your insights regarding control design and evaluation
Study the Management Guidelines
COBIT Product Family
4 major elements
• COBIT as an open standard for increased world-wide adoption covering summary, framework and detailed control objectives;
• Three proprietary guideline products
-- Implementation Tool Set : how to introduce the COBIT standard in the enterprise
-- Audit Guidelines : how to audit against the standard
-- Management Guidelines : how to benchmark, implement and self-assess
Product family components (from the diagram):
• Executive Summary
• Implementation Tool Set: Executive Overview, Case Studies, FAQ’s, Presentations, Implementation Guide (Management Awareness, IT Control Diagnostic)
• Framework with High-Level Control Objectives
• Detailed Control Objectives
• Audit Guidelines
• Management Guidelines: Key Performance Indicators (process), Critical Success Factors (control), Benchmarks
CobiT
For additional information:
www.isaca.org
www.ITgovernance.org
or email, or give me a call at (617) 727-6200 ext 135
Go Forth Safely And COBITize
Thank You